We’re sharing an important update to help Microsoft Sentinel customers and partners plan a smooth transition to the Microsoft Defender portal.
In July 2025, we announced that Microsoft Sentinel SIEM customers would have to transition from the Azure portal experience to the Defender portal by July 1, 2026. Since then, we’ve seen a large percentage of our customers adopt the new experience. However, we’ve heard consistent feedback from customers and partners, particularly those managing Sentinel environments at scale, about the importance of having additional time and capabilities in place to ensure a seamless migration.
To reduce friction and support customers of all sizes, we are extending the sunset date for managing Microsoft Sentinel in the Azure portal to March 31, 2027. This additional time ensures customers can transition confidently while taking advantage of new capabilities that are becoming available in the Defender portal.
Innovative experiences in the Defender portal
While we have extended the deadline to transition the Sentinel experience from the Azure portal to the Defender portal, customers will benefit from beginning to plan their migration today. Many new capabilities that help organizations drive efficiency, stay safer and save money are accessible only in the Defender portal.
These include:
- Security Copilot – A generative AI-powered security solution that provides a natural language, assistive copilot experience to support security professionals in incident response, threat hunting, intelligence gathering, and posture management. Agents help to further accelerate the work of the SOC.
- Sentinel data lake – A cloud‑scale security data foundation that unlocks long‑term retention and advanced analytics, enabling deeper investigations, richer historical context, and AI‑driven insights at massive scale.
- Sentinel graph – A connected security intelligence layer that links users, devices, alerts, behaviors, and incidents to illuminate attack paths and expose relationships that would otherwise remain hidden.
- Automatic attack disruption over sources like AWS and Proofpoint – Attack disruption that stops active threats in real time by automatically breaking attacker progress.
- Enhanced SOC optimization recommendations – An intelligent optimization experience that continuously improves SOC effectiveness by mapping coverage to MITRE ATT&CK, highlighting gaps and redundancies, and guiding teams toward stronger, more efficient detection strategies.
- Modern data management – The Microsoft Defender portal lets customers manage the retention period and the storage costs associated with their data.
- Future enhancements to SOAR and case management – Next‑generation automation and case management capabilities designed to streamline investigations, coordinate response, and empower SOC teams to operate at scale with greater speed and consistency.
Delivering a great experience for Sentinel customers
Over the past several months, we’ve made meaningful progress in addressing partner and customer feedback. We’ve made many enhancements, with more to come, including:
- Multi-tenancy management: We are updating our GDAP access delegation feature to support Sentinel and making it available to all customers and service providers. More announcements to come soon.
- Incident creation: To allow more flexibility and control over incident creation, we have enabled the ability to selectively exclude detection rules from correlation. We will continue to invest in simplifying the transition of analytics rules to the Defender portal.
- Latency and reliability: We have addressed latency in alerts and are delivering high confidence in the reliability and auditing of all data in the Defender portal.
- Incident descriptions: Incident descriptions will be written into the SecurityIncident table and be fully queryable via API, with updates coming soon.
Plan Your Transition Now
We recommend that customers begin planning their transition early to ensure a smooth onboarding experience and uninterrupted access to future innovations. To support this journey, we’ve made the following resources available:
- Quick Start Video: Onboarding a Microsoft Sentinel workspace into Microsoft Defender
- Video Playlist: Microsoft Sentinel is now in Defender - YouTube
- On‑Demand Webinars:
  - Stop Waiting, Start Onboarding – Learn how integration simplifies SOC operations: https://www.youtube.com/watch?v=I5dhz_0LDCI
  - Don’t Get Left Behind – Unlock Sentinel’s full potential in Defender: https://www.youtube.com/watch?v=0GAxsbzGirw
- For comprehensive documentation, visit our Microsoft Learn page.
Looking Ahead
Our goal is to make this transition as seamless as possible while ensuring customers and partners can fully benefit from the evolving Microsoft Sentinel experience. The Defender portal is where Sentinel innovation continues, and we’re committed to supporting you every step of the way.
We appreciate your partnership and feedback as we work together to deliver a modern, unified security operations experience.
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.